Sourcefire VRT Rules Update

Date: 2011-03-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8.6.1.

The format of the file is:

sid <-> Message (rule group, priority)

New rules:
18545 <-> POLICY Microsoft Excel with embedded Flash file transfer attempt (policy.rules, High)
18546 <-> POLICY Microsoft Word with embedded Flash file transfer attempt (policy.rules, High)
18547 <-> POLICY Microsoft Powerpoint with embedded Flash file transfer attempt (policy.rules, High)
18548 <-> POLICY Microsoft Excel with embedded Flash file attachment attempt (policy.rules, High)
18549 <-> POLICY Microsoft Word with embedded Flash file attachment attempt (policy.rules, High)
18550 <-> POLICY Microsoft Powerpoint with embedded Flash file attachment attempt (policy.rules, High)
18551 <-> SMTP Microsoft Word .doc attachment (smtp.rules, Low)
18552 <-> SMTP Microsoft Excel .xls attachment (smtp.rules, Low)
18553 <-> SMTP Microsoft Excel .xlw attachment (smtp.rules, Low)
18554 <-> SMTP Microsoft Powerpoint .ppt attachment (smtp.rules, Low)

Updated rules:
7583 <-> SPYWARE-PUT Hacker-Tool clandestine runtime detection - flowbit set big (spyware-put.rules, Low)
7584 <-> SPYWARE-PUT Hacker-Tool clandestine runtime detection - flowbit set open (spyware-put.rules, Low)
7585 <-> SPYWARE-PUT Hacker-Tool clandestine runtime detection - flowbit set image (spyware-put.rules, Low)
7586 <-> SPYWARE-PUT Hacker-Tool clandestine runtime detection - image transferred (spyware-put.rules, Low)
15364 <-> EXPLOIT Ganglia Meta Daemon process_path stack buffer overflow attempt (exploit.rules, High)
16515 <-> SMTP Novell Groupwise Internet Agent RCPT command overflow attempt (smtp.rules, High)
16524 <-> FTP ProFTPD username sql injection attempt (ftp.rules, High)
17294 <-> DOS Microsoft Windows NAT Helper DNS query denial of service attempt (dos.rules, Medium)
17275 <-> SPECIFIC-THREATS Symantec Brightmail AntiSpam nested Zip handling denial of service attempt (specific-threats.rules, Medium)
17483 <-> DNS squid proxy dns A record response denial of service attempt (dns.rules, Medium)
18310 <-> SMTP Microsoft Office RTF parsing remote code execution attempt (smtp.rules, High)
18476 <-> SPECIFIC-THREATS IBM Lotus Notes DOC attachment viewer buffer overflow (specific-threats.rules, High)
18477 <-> SMTP Lotus Notes MIF viewer statement data overflow 2 (specific-threats.rules, High)